Nortel Secure Network Access Switch
Using the Command Line Interface
Release: 2.0
Document Revision: 03.01
www.nortel.com
NN47230-100
320818-D
Nortel Secure Network Access Switch
Release: 2.0
Publication: NN47230-100
Document status: Standard
Document release date: 28 July 2008
Copyright © 2007, 2008 Nortel Networks
All Rights Reserved.
Sourced in Canada, the United States of America, and India
LEGAL NOTICE
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their respective owners.
Contents

Software license 11

New in this release 15
  Features 15
  Other changes 16

Introduction 17
  Before you begin 18
  Text conventions 18
  Related information 20
    Publications 20
    Online 21
  How to get help 21

Overview 23
  The Nortel SNAS 24
    Elements of the Nortel SNAS 25
    Supported users 25
    Supporting additional users with the software license file 26
    Role of the Nortel SNAS 27
    Nortel SNAS clusters 35
    Interface configuration 35
    Nortel SNAS configuration and management tools 36
  Nortel SNAS configuration roadmap 37

Initial setup 41
  Before you begin 41
    About the IP addresses 42
  Initial setup 43
    Setting up a single Nortel SNAS device or the first in a cluster 43
    Adding a Nortel SNAS device to a cluster 50
  Next steps 54
  Applying and saving the configuration 55

Managing the network access devices 57
  Before you begin 57
  Managing network access devices 58
    Roadmap of domain switch commands 58
    Adding a network access device 60
    Deleting a network access device 64
    Configuring the network access devices 64
    Mapping the VLANs 66
    Managing SSH keys 68
    Monitoring switch health 73
  Controlling communication with the network access devices 74
    Configuring SSCPLite 74
    Configuring SNMP Profiles 75
    Configuring SNMP Versions 76
    Configuring SSCPLite Community 77
    Configuring SNMP Templates 77

Configuring the domain 79
  Configuring the domain 79
    Roadmap of domain commands 81
    Creating a domain 83
    Deleting a domain 89
    Configuring domain parameters 89
    Configuring the Nortel Health Agent check 92
    Configuring the SSL server 97
    Configuring HTTP redirect 107
    Browser-Based Management Configuration 108
    Browser-Based Management Configuration with SSL 108
    Configuring advanced settings 109
    Configuring RADIUS accounting 110
    Configuring local DHCP services 115
    Creation of the location 123
    Configuring Lumension PatchLink integration 124

Configuration of the RADIUS server 127
  Overview of RADIUS server 127
    802.1x functionality 127
  Roadmap of RADIUS server configuration commands 128
  Configuration of the RADIUS server 129
    Configuration of the client 130
    Configuration of the realms 131
    Configuration of the dictionary 133
    Configuration of the RADIUS accounting 134
    Configuration of the RADIUS authentication methods 134
    Configuration of the EAP authentication methods 136
    Select the server certificate 137
    Select the CA certificate 138
Configuration of Microsoft NAP Interoperability 139
  Roadmap of NAP configuration commands 139
  Configuration of NAP Interoperability 140
    Probation Settings 141
    Remote Network Policy Servers 142
    System Health Validators 143
    Configuration of Windows System Health Validator 144

Configuring groups and profiles 149
  Overview 149
    Groups 150
    Linksets 151
    SRS rule 151
    Extended profiles 151
  Before you begin 152
  Configuring groups and extended profiles 153
    Roadmap of group and profile commands 153
    Configuring groups 156
    Configuring client filters 162
    Configuring extended profiles 164
    Creating RADIUS attributes to a group 166
    Mapping linksets to a group or profile 167
    Creating a default group 169

Configuring authentication 171
  Overview 171
  Before you begin 172
  Configuring authentication 174
    Roadmap of authentication commands 174
    Configuring authentication methods 177
    Configuring advanced settings 179
    Configuring RADIUS authentication 180
    Configuring LDAP authentication 187
    Configuring local database authentication 200
    Specifying authentication fallback order 209

Managing system users and groups 211
  User rights and group membership 211
  Managing system users and groups 212
    Roadmap of system user management commands 212
    Managing user accounts and passwords 213
    Managing user settings 216
    Managing user groups 217
  CLI configuration examples 218
Customizing the portal and user logon 227
  Overview 227
    Captive portal and Exclude List 228
    Portal display 230
    Managing the end user experience 237
  Customizing the portal and logon 238
    Roadmap of portal and logon configuration commands 238
    Configuring the captive portal 240
    Configuring the Exclude List 240
    Changing the portal language 241
    Configuring the portal display 244
    Changing the portal colors 249
    Configuring custom content 250
    Configuring linksets 251
    Configuring links 253

Configuring system settings 257
  Configuring the cluster 257
  Roadmap of system commands 258
  Configuring system settings 262
    Configuring the Nortel SNAS host 264
    Configuring host interfaces 268
    Configuring static routes 270
    Configuring host ports 271
    Managing interface ports 272
    Configuring the Access List 273
    Configuring date and time settings 274
    Configuring DNS servers and settings 276
    Configuring RSA servers 279
    Configuring syslog servers 279
    Configuring administrative settings 281
    Enabling TunnelGuard SRS administration 284
    Configuring Nortel SNAS host SSH keys 284
    Configuring RADIUS auditing 286
    Configuring authentication of system users 290
    Configuration of auto blacklisting 293
    Configuration of harden password 295

Managing certificates 297
  Overview 297
    Key and certificate formats 298
    Creating certificates 299
    Installing certificates and keys 299
    Saving or exporting certificates and keys 300
    Updating certificates 300
  Managing private keys and certificates 301
    Roadmap of certificate management commands 301
    Managing and viewing certificates and keys 302
    Generating and submitting a CSR 305
    Adding a certificate to the Nortel SNAS 310
    Adding a private key to the Nortel SNAS 312
    Importing certificates and keys into the Nortel SNAS 314
    Displaying or saving a certificate and key 316
    Exporting a certificate and key from the Nortel SNAS 318
    Generating a test certificate 320

Configuring SNMP 323
  Configuring SNMP 324
    Roadmap of SNMP commands 324
    Configuring SNMP settings 325
    Configuring the SNMP v2 MIB 326
    Configuring the SNMP community 327
    Configuring SNMPv3 users 328
    Configuring SNMP notification targets 331
    Configuring SNMP events 332

Viewing system information and performance statistics 337
  Viewing system information and performance statistics 337
    Roadmap of information and statistics commands 337
    Viewing system information 339
    Viewing alarm events 344
    Viewing log files 345
    Viewing AAA statistics 346
    Viewing all statistics 348
    Kicking by username or address 349
    Nortel SNAS TPS Interface 349

Maintaining and managing the system 351
  Managing and maintaining the system 352
    Roadmap of maintenance and boot commands 352
    Performing maintenance 353
    Backing up or restoring the configuration 356
    Configuring the Nortel SNAS scheduler 359
    Managing Nortel SNAS devices 361
    Managing software for a Nortel SNAS device 363

Upgrading or reinstalling the software 367
  Upgrading the Nortel SNAS 367
    Performing minor and major release upgrades 368
    Activating the software upgrade package 369
  Reinstalling the software 372
    Before you begin 372
    Reinstalling the software from an external file server 373
    Reinstalling the software from a CD 375

The Command Line Interface 377
  Connecting to the Nortel SNAS 378
    Establishing a console connection 378
    Establishing a Telnet connection 379
    Establishing a connection using SSH 380
  Accessing the Nortel SNAS cluster 381
  CLI Main Menu or Setup 383
  Command line history and editing 383
  Idle timeout 383

Configuration example 385
  Scenario 385
  Steps 387
    Configure the network DNS server 388
    Configure the network DHCP server 388
    Configure the network core router 392
    Configure the Ethernet Routing Switch 8300 393
    Configure the Ethernet Routing Switch 5510 395
    Configure the Nortel SNAS 397

Troubleshooting 403
  Troubleshooting tips 403
    Cannot connect to the Nortel SNAS using Telnet or SSH 403
    Cannot add the Nortel SNAS to a cluster 405
    Cannot contact the MIP 406
    The Nortel SNAS stops responding 407
    A user password is lost 408
    A user fails to connect to the Nortel SNAS domain 409
  Trace tools 409
  System diagnostics 410
    Installed certificates 410
    Network diagnostics 410
    Active alarms and the events log file 412
    Error log files 412

Using the CLI 413
  Global commands 414
  Command line history and editing 416
  CLI shortcuts 417
  Using slashes and spaces in commands 419
  IP address and network mask formats 420
  Variables 420
  CLI Main Menu 421
  CLI command reference 422
    Information menu 422
    Statistics menu 423
    Configuration menu 424
    Boot menu 448
    Maintenance menu 449

Syslog messages by message type 451
  Operating system (OS) messages 452
  System Control Process messages 453
  Traffic Processing Subsystem messages 457
  Start-up messages 461
  AAA subsystem messages 461
  NSNAS subsystem messages 463

Syslog messages in alphabetical order 465

Supported MIBs 477

Supported traps 481

485
  Install All Administrative Tools (Windows 2000 Server) 485
  Register the Schema Management dll (Windows Server 2003) 485
  Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) 486
  Permit write operations to the schema (Windows 2000 Server) 488
  Create a new attribute (Windows 2000 Server and Windows Server 2003) 489
  Create the new class 489

Configuring IP Phone auto-configuration 494
  Creating the DHCP options 494
  Configuring the Call Server Information and VLAN Information options 497
  Setting up the IP Phone 500

Configuring the logon script 501
  Creating a logon script 502
    Creating the script as a batch file 502
    Creating the script as a VBScript file 503
  Assigning the logon script 503
Software license
This section contains the Nortel Networks software license.
Nortel Networks software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
New in this release
The following sections detail what’s new in Nortel Secure Network Access Using the Command Line Interface (NN47230-100) for Release 2.0.
• “Features” (page 15)
• “Other changes” (page 16)
Features
This is the second standard release of the document. See the following sections for information on the features added in this release.
• “Configuring SSCPLite” (page 74)
• “Configuring SNMP Profiles” (page 75)
• “Creation of the location” (page 123)
• “Configuring Lumension PatchLink integration” (page 124)
• “Configuration of the RADIUS server” (page 127)
• “Configuration of Microsoft NAP Interoperability” (page 139)
• “Configuration of auto blacklisting” (page 293)
• “Configuration of harden password” (page 295)
• “Kicking by username or address” (page 349)
• “Nortel SNAS TPS Interface” (page 349)
• “Self service portal” (page 233)
• “Configuring the Nortel SNAS scheduler” (page 359)
On-the-fly SRS Policy Change—When a security policy is modified on the SNAS using the administrative tool, the policy is updated on the Nortel Health Agent running on the logged-in operating systems. For more information, see “Configuring the Nortel Health Agent check” (page 92).
Multi-OS Applet Support—The Nortel Health captive portal applet supports Windows and non-Windows operating systems. For non-Windows operating systems, the applet supports collecting operating system information and VLAN transition. For more information, see “Multi-OS Applet Support” (page 32).
Other changes
No changes.
Introduction
Nortel* Secure Network Access (Nortel SNAS) is a clientless solution that provides seamless, secure access to the corporate network from inside or outside that network. The Nortel SNAS combines multiple hardware devices and software components to support the following features:
• partitions the network resources into access zones (authentication, remediation, and full access)
• provides continual device integrity checking using Nortel Health Agent
• supports both dynamic and static IP clients
The Nortel Secure Network Access Switch 4050 or 4070 (Nortel SNAS 4050 or 4070) controls operation of the Nortel SNAS.
This user guide covers the process of implementing the Nortel SNAS using the Nortel SNAS 4050 or 4070 for Nortel Secure Network Access Switch Software Release 2.0. The document includes the following information:
• overview of the role of the Nortel SNAS 4050 or 4070 in the Nortel SNAS
• initial setup
• configuring authentication, authorization, and accounting (AAA) features
• managing system users
• customizing the portal
• upgrading the software
• logging and monitoring
• troubleshooting installation and operation
The document provides instructions for initializing and customizing the features using the Command Line Interface (CLI). To learn the basic structure and operation of the Nortel SNAS CLI, refer to “CLI reference” (page 413). This reference guide provides links to where the function and syntax of each CLI command are described in the document. For information on accessing the CLI, see “The Command Line Interface” (page 377).
The Browser-Based Interface (BBI) is a graphical user interface (GUI) that runs in an online, interactive mode. BBI allows the management of multiple devices (for example, the Nortel SNAS) from one application. For information about using BBI to configure and manage the Nortel SNAS, see Nortel Secure Network Access Switch Configuration — Using the BBI (NN47230-500).
Before you begin
This guide is intended for network administrators who have the following background:
• basic knowledge of networks, Ethernet bridging, and IP routing
• familiarity with networking concepts and terminology
• experience with windowing systems or GUIs
• basic knowledge of network topologies
Before using this guide, you must complete the following procedures. For a new switch:
Step Action
1. Install the switch.
For installation instructions, see Nortel Secure Network Access Switch 4050 Installation Guide (NN47230-300).
2. Connect the switch to the network.
For more information, see “The Command Line Interface” (page 377).
--End--
Ensure that you are running the latest version of Nortel SNAS software. For information about upgrading the Nortel SNAS, see “Upgrading or reinstalling the software” (page 367).
Text conventions
This guide uses the following text conventions:
angle brackets (< >)
    Enter text based on the description inside the brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold text
    Objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items.

bold Courier text
    Command names, options, and text that you must enter.
    Example: Use the dinfo command.
    Example: Enter show ip {alerts|routes}.

braces ({ })
    Required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you must enter either show ip alerts or show ip routes, but not both.

brackets ([ ])
    Optional elements in syntax descriptions. Do not type the brackets when entering the command.
    Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts.

ellipsis points (. . . )
    Repeat the last element of the command as needed.
    Example: If the command syntax is ethernet/2/1 [ <parameter> <value> ]..., you enter ethernet/2/1 and as many parameter-value pairs as needed.

italic text
    Variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore.
    Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.

plain Courier text
    Command syntax and system output, for example, prompts and system messages.
    Example: Set Trap Monitor Filters

separator ( > )
    Menu paths.
    Example: Protocols > IP identifies the IP command on the Protocols menu.

vertical line ( | )
    Options for command keywords and arguments. Enter only one of the options. Do not type the vertical line when entering the command.
    Example: If the command syntax is show ip {alerts|routes}, you enter either show ip alerts or show ip routes, but not both.
Related information
This section lists information sources that relate to this document.
Publications
Refer to the following publications for information on the Nortel SNAS:
• Nortel Secure Network Access Solution Guide (NN47230-200)
• Nortel Secure Network Access Switch 4050 Installation Guide (NN47230-300)
• Nortel Secure Network Access Switch 4050 User Guide for the CLI (NN47230-100)
• Installing and Using the Security,
• Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 5.0.1
• Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8
• Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400)
• Release Notes for Enterprise Switch Manager (ESM), Software Release 5.2 (209960-H)
• Using Enterprise Switch Manager Release 5.1 (208963-F)
• Nortel Secure Network Access Switch Configuration — Using the BBI (NN47230-500)
Online
To access Nortel technical documentation online, go to the Nortel web site:
http://www.nortel.com/support
You can download current versions of technical documentation. To locate documents, browse by category or search using the product name or number.
You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems site at http://www.adobe.com to download a free copy of Adobe Reader.
How to get help
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
If you purchased a Nortel service program, use the http://www.nortel.com/help web page to locate information to contact Nortel for assistance:
•To obtain Nortel Technical Support contact information, click the CONTACT US link on the left side of the page.
•To call a Nortel Technical Solutions Center for assistance, click the CALL US link on the left side of the page to find the telephone number for your region.
An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the http://www.nortel.com/help web page and follow these links:
Step Action
1. Click CONTACT US on the left side of the HELP web page.
2. Click Technical Support on the CONTACT US web page.
3. Click Express Routing Codes on the TECHNICAL SUPPORT web page.
--End--
Overview
The Nortel Secure Network Access Solution Release 2.0 features are mapped to the relevant section(s) in this guide in the following table. For information on the Nortel SNAS Release 1.6.1 see Release Notes for Nortel Secure Network Access Solution Release 1.6.1, NN47230-400, (formerly 320850).
Table 1
Features on NSNA
Feature | Section
Performance and scalability enhancements: 20,000 concurrent users | Not applicable.
Support for hubs | “Configuring local DHCP services” (page 115), “Hub DHCP subnet type” (page 118)
Support for Nortel Ethernet Switch models 325 / 425 / 450 / 470 and 2500 series and Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600 | “Configuring local DHCP services” (page 115), “Hub DHCP subnet type” (page 118)
Support for WLAN Controller | “Configuring local DHCP services” (page 115), “Hub DHCP subnet type” (page 118)
Support of RADIUS server | “Configuration of the RADIUS server” (page 127)
Support of Microsoft NAP Interoperability | “Configuration of Microsoft NAP Interoperability” (page 139)
Nortel Health Agent Run-Once, Continuous and Never modes | “Configuring groups” (page 156), “Managing the local MAC database” (page 206)
Support for MAC OSX, Linux OS, and non-interactive devices | “Configuring groups” (page 156)
MAC address policy services | “Configuring groups” (page 156), “Managing the local MAC database” (page 206)
Flexible deployment: Filter only and VLAN and filters deployment | “Nortel SNAS enforcement types” (page 28), “Configuring groups” (page 156)
ATTENTION
Switches that support the Switch to Nortel SNAS Communication Protocol (SSCP) are referred to as NSNA network access devices in this document. Generally, NSNA network access devices are the Ethernet Routing Switch 5500 Series and the Ethernet Routing Switch 8300. Specifically, Release 1.6.1 features are supported by the Ethernet Routing Switch 5500 Series, Release 5.0.2 and later.
ATTENTION
The character combination "&lt;" appears instead of the character "<" in several command strings in this document. For example, &lt;DN> rather than <DN>. Resolution is under investigation.
This chapter includes the following topics:
Topic
“The Nortel SNAS” (page 24)
“Elements of the Nortel SNAS” (page 25)
“Supported users” (page 25)
“Role of the Nortel SNAS” (page 27)
“Nortel SNAS clusters” (page 35)
“Interface configuration” (page 35)
“Nortel SNAS configuration and management tools” (page 36)
“Nortel SNAS configuration roadmap” (page 37)
The Nortel SNAS
Nortel Secure Network Access Solution (Nortel SNAS) is a protective framework to completely secure the network from endpoint vulnerability. The Nortel SNAS addresses endpoint security and enforces policy compliance. Nortel SNAS delivers endpoint security by enabling only trusted, role-based access privileges premised on the security level of the device, user identity, and session context. Nortel SNAS enforces policy compliance, such as for Sarbanes-Oxley and COBIT, ensuring that the required anti-virus applications or software patches are installed before users are granted network access.
For Nortel, success is delivering technologies providing secure access to your information using security-compliant systems. Your success is measured by increased employee productivity and lower network operations costs. Nortel’s solutions provide your organization with the network intelligence required for success.
Elements of the Nortel SNAS
The following devices are essential elements of the Nortel SNAS:
• Nortel Secure Network Access Switch 4050 or 4070 (Nortel SNAS 4050 or 4070), which acts as the Policy Decision Point
• network access devices, which act as the Policy Enforcement Point
—Ethernet Routing Switch 8300
—Ethernet Routing Switch 4500, 5510, 5520, or 5530
ATTENTION
NSNA Release 1.6.1 does not currently support the Ethernet Routing Switch 8300 as a Policy Enforcement Point.
• RADIUS, DHCP, and DNS servers
The following devices are additional, optional elements of the Nortel SNAS:
• remediation server
• corporate authentication services such as LDAP or RADIUS services
Each Nortel SNAS device can support up to five network access devices.
Supported users
The Nortel SNAS supports the following types of users:
• PCs using the following operating systems:
—Windows 2000 SP4
—Windows XP SP2
—Linux
—MAC OS
—Vista
The Nortel SNAS supports the following browsers:
—Internet Explorer version 6.0 or later
—Netscape Navigator version 7.3 or later
—Mozilla Firefox version 1.0.6 or later
Java Runtime Environment (JRE) for all browsers:
— JRE 1.6.0_04 or later
• VoIP phones
—Nortel IP Phone 2002
—Nortel IP Phone 2004
—Nortel IP Phone 2007
See Release Notes for the Nortel Secure Network Access Solution, Software Release 1.6.1 (NN47230-400), for the minimum firmware versions required for the IP Phones operating with different call servers.
Each Nortel SNAS-enabled port on a network access device can support one PC (untagged traffic) and one IP Phone (tagged traffic). Softphone traffic is considered to be the same as PC traffic (untagged).
ATTENTION
Where there is both an IP Phone and a PC, the PC must be connected through the 3-port switch on the IP Phone.
Supporting additional users with the software license file
The standard Nortel SNAS 4050 implementation can support up to 200 authenticated user sessions. To support additional users on your Nortel SNAS 4050 switch, you must obtain a Nortel SNA software license file. The software license file contains a software license key that you must enter into the Nortel SNAS 4050 switch to activate support for the additional users. The file can support an additional 100, 250, 500, or 1000 users.
ATTENTION
An authenticated IP Phone is considered to be a licensed user.
Your unique software license key is based on your switch MAC address. Before you obtain your software license file, first record the MAC address for the Nortel Secure Network Access Switch to be upgraded. To find the MAC address in the Command Line Interface, use the /info/local command.
To obtain your software license file, contact Nortel to order the Nortel SNA Software License Certificate. Follow the instructions on this certificate to obtain your software license file.
After you obtain the software license file from Nortel, you must copy the entire license key to the switch using the CLI or the BBI. When you copy the license key, ensure you include the BEGIN LICENSE and END LICENSE lines.
To copy the license key using the CLI, use the following command:
/cfg/sys/host <host ID> license <key>
The following shows a sample display of the CLI interface when copying the license key:
>>Main# cfg/sys/host
Enter Host number: 1
>>iSD host 1# license
Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
>-----BEGIN LICENSE-----
>U4GsdGVkX36AJpnd8KL4iImtRzBvZy+iANDzxog22+vq6Qx4aawSl4FVQo
>lXYlsNNFJpYW/vl3osvNPXhzcLV2E9hNHlqirkzc5aLDJ+2xYpK/BRDrMZ
>86OQvdBMyer53xgq8Kk/5BvoFcQYvEC/yWrFyrmZr4XPtAr3qmuZ8UxLqJ
>0x7PUrp6tVI=
>-----END LICENSE-----
>...
License loaded
For more information, see “Configuring the Nortel SNAS host” (page 264).
To copy the license key using the BBI, use the Install New License screen (System > Hosts > host > Install New License).
To view the license using BBI, in the cluster select Cluster > Hosts > License from the menu. For more information, see Nortel Secure Network Access Switch Configuration — Using the BBI, (NN47230-500).
Role of the Nortel SNAS
The Nortel SNAS helps protect the network by ensuring endpoint compliance for devices that connect to the network.
Before allowing a device to have full network access, the Nortel SNAS checks user credentials and host integrity against predefined corporate policy criteria. Through tight integration with network access devices, the Nortel SNAS can:
•dynamically move the user into a quarantine VLAN
•dynamically grant the user full or limited network access
•dynamically apply per port firewall rules that apply to a device’s connection
Once a device has been granted network access, the Nortel SNAS continually monitors the health status of the device to ensure continued compliance. If a device falls out of compliance, the Nortel SNAS can dynamically move the device into a quarantine or remediation VLAN.
Nortel SNAS functions
The Nortel SNAS performs the following functions:
• Acts as a web server portal, which is accessed by users in clientless mode for authentication and host integrity check and which sends remediation instructions and guidelines to endpoint clients if they fail the host integrity check.
• Communicates with backend authentication servers to identify authorized users and levels of access.
• Acts as a policy server, which communicates with the Nortel Health Agent applet that verifies host integrity.
• Instructs the network access devices to move clients to the appropriate enforcement zones.
• Can be a DNS proxy in the Red VLAN when the Nortel SNAS functions as a captive portal.
• Supports the RADIUS server.
• Supports Microsoft NAP Interoperability.
• Performs session management.
• Monitors the health of clients and switches.
• Performs logging and auditing functions.
• Provides High Availability (HA) through the IPmig protocol.
Nortel SNAS enforcement types
Nortel SNAS provides several enforcement types for restricting access to the network.
• VLANs and filters uses a combination of VLANs and filters to provide enforcement. It is available with NSNA network access devices; that is, devices that support SSCP (Switch-SNAS Communication Protocol), SSCP-Lite, and 802.1x switches.
• Filters only uses only filters to provide enforcement. It is available with NSNA network access devices.
• DHCP hub subnet is available with network access devices that do not support SSCP, including Nortel Ethernet Switch models 325, 425, 450, 470 and 2500 series and Ethernet Routing Switch models 4500 series, 5500 series, 8300 and 8600, as well as third-party switches.
VLANs and filters
Four types of Layer 2 or Layer 3 VLANs are configured for VLANs and filters enforcement:
• Red—extremely restricted access. If the default filters are used, the user can communicate only with the Nortel SNAS and the Windows domain controller network. There is one Red VLAN for each network access device.
• Yellow—restricted access for remediation purposes if the client PC fails the host integrity check. Depending on the filters and Nortel Health Agent rules configured for the network, the client may be directed to a remediation server participating in the Yellow VLAN. There can be up to five Yellow VLANs for each network access device. Each user group is associated with only one Yellow VLAN.
• Green—full access, in accordance with the user’s access privileges. There can be up to five Green VLANs for each network access device.
• VoIP—automatic access for VoIP traffic. The network access device places VoIP calls in a VoIP VLAN without submitting them to the Nortel SNAS authentication and authorization process.
When a client attempts to connect to the network, the network access device places the client in its Red VLAN. The Nortel SNAS authenticates the client. By default, the Nortel SNAS then downloads a Nortel Health Agent applet to check the integrity of the client host. If the integrity check fails, the Nortel SNAS instructs the network access device to move the client to a Yellow VLAN, with its associated filter. If the integrity check succeeds, the Nortel SNAS instructs the network access device to move the client to a Green VLAN, with its associated filter. The network access device applies the filters when it changes the port membership.
The VoIP filters allow IP phone traffic into preconfigured VoIP VLANs, for VoIP communication only.
The default filters can be modified to accommodate network requirements, such as Quality of Service (QoS) or specific workstation boot processes and network communications.
For information about configuring VLANs and filters on the network access devices, see Release Notes for Nortel Ethernet Routing Switch 5500 Series, Software Release 5.0.1, or Release Notes for the Ethernet Routing Switch 8300, Software Release 2.2.8.
To configure the Nortel SNAS for VLANs and filters enforcement, see “Configuring groups” (page 156), enftype.
Filters only
Filters only enforcement uses two VLANs: Red and VoIP. A client computer is placed in the Red VLAN where it is held pending successful authentication. If successful, Nortel Health Agent integrity checking can be used to determine if remediation is required. Filters are applied to direct the client to the appropriate network resources but the client remains in the same VLAN regardless of its status. This contrasts with VLANs and filters where the client is moved to another VLAN in addition to applying filters. Filters only handles IP phones in the same manner as VLANs and filters.
With Filters only, there is less network configuration than with VLANs and filters because there are only two VLANs (Red and VoIP) to configure. However, the double layer of protection afforded with VLANs and filters is not provided.
To configure the Nortel SNAS for Filters only enforcement, see “Configuring groups” (page 156), enftype. Though configuring for Filters only can result in higher DNS demands on the Nortel SNAS, using the filter DHCP subnet type maintains these demands at the same level as with VLANs and filters: for more information, see “Configuring local DHCP services” (page 115).
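The following added example (not Nortel code; the Enforcer and Endpoint names are constructed for this illustration) models the enforcement flow described for VLANs and filters and for Filters only: a client starts in Red, an IP phone goes straight to VoIP, and after authentication the Nortel Health Agent result selects Green or Yellow, where only the VLANs and filters type actually changes the port's VLAN membership.

```python
"""Model of the Nortel SNAS enforcement flow for the two SSCP enforcement
types.  Added example, not Nortel code: class and method names are
constructed for this illustration."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    is_phone: bool = False
    vlan: str = "red"           # every new client starts in the Red VLAN
    filt: str = "red"           # filter applied by the network access device
    authenticated: bool = False


class Enforcer:
    """'vlans' = VLANs and filters, 'filters' = Filters only."""

    def __init__(self, enftype: str):
        if enftype not in ("vlans", "filters"):
            raise ValueError("enftype must be 'vlans' or 'filters'")
        self.enftype = enftype

    def connect(self, ep: Endpoint) -> Endpoint:
        # IP phone traffic bypasses authentication and lands in the VoIP VLAN;
        # both enforcement types treat phones the same way.
        if ep.is_phone:
            ep.vlan, ep.filt = "voip", "voip"
        else:
            ep.vlan, ep.filt = "red", "red"
        return ep

    def _zone(self, ep: Endpoint, colour: str) -> None:
        # Filters only keeps the client in Red and swaps only the filter;
        # VLANs and filters also moves the port into the coloured VLAN.
        ep.filt = colour
        ep.vlan = colour if self.enftype == "vlans" else "red"

    def authenticate(self, ep: Endpoint, ok: bool) -> Endpoint:
        ep.authenticated = ok
        if not ok:
            self._zone(ep, "red")   # held in Red pending success
        return ep

    def integrity(self, ep: Endpoint, passed: bool) -> Endpoint:
        # Called after the initial Health Agent check and again on every
        # continuous-monitoring result, so a compliant client can be moved
        # back to Yellow when it later fails.
        if not ep.authenticated:
            raise RuntimeError("health check runs only after authentication")
        self._zone(ep, "green" if passed else "yellow")
        return ep
```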
DHCP hub subnet
DHCP hub subnet enforcement allows the Nortel SNAS to operate with a broader range of Nortel ethernet switches as well as third party network access devices. Unlike VLANs and filters and Filters only enforcement, DHCP hub subnet enforcement does not require SSCP support on the network access device.
The DHCP hub subnet configuration is an integral component of the DHCP services provided by the Nortel SNAS. For more information, see “Configuring local DHCP services” (page 115).
Groups and profiles
Users are organized in groups. You can also specify a location in the user group. Group membership determines:
• user access rights
Within the group, extended profiles further refine access rights depending on the outcome of the Nortel Health Agent checks.
• number of sessions allowed
• the Nortel Health Agent SRS rule to be applied
• what is displayed on the portal page after the user has been authenticated